Professional Documents
Culture Documents
TABLE OF CONTENTS: Executive Summary...........................................................................................................1 Virus and Cyber Weapon Threat.......................................................................................2 Exposure to Substantial Insider Risks.............................................................................3 Most Enterprises Are Non-Compliant with Mandatory Security Regulations..........................3 SSH Key Remediation as a Process........................................................................................5 Conclusion......................................................................................................................6
Executive Summary
Sloppy management of authentication keys for SSH, an encryption protocol used for automation in IT systems, risks catastrophic IT failure in banks, government and industry. Most organizations have no process for managing, removing, and changing access-granting keys. This violates SOX, FISMA, PCI, and HIPAA, all which require proper control of access to servers and proper termination of access. A cyber weapon or virus using SSH keys to spread could destroy IT infrastructure and online data of an enterprise or government agency within minutes. Similar attacks were rst used by the Morris worm, which took down the Internet in 1988. IT staff can use poorly managed SSH keys to create permanent backdoors to production servers, bypassing all normal privileged access management and session auditing systems. Risky insiders include anyone who has ever had access to a server, including former system administrators, consultants, and anyone with access to backups or decommissioned hardware. The problem has been largely overlooked by IT security auditors, because the it is highly technical and hidden inside the system administrator domain in a distributed environment where no single person has had full visibility of the problem. Every organization should audit their SSH keys and other automated access mechanisms (including Kerberos). Furthermore, they should set up and enforce policies for managing automated access and remedy existing risks or face an existential threat when viruses using SSH keys to spread inside an organization emerge. Remediation includes removing unused keys, enforcing controlled key setup processes, automating key setups to reduce number of administrators who can set up keys (and to save costs), changing all keys regularly, and controlling what can be done with each key. This white paper focuses on SSH user key remediation as a process which all organizations utilizing SSH should be aware of and consider implementing. It will outline a basic process and set of tools which can be utilized to identify the existing trust relationships in your environment, bring legacy keys under control, and automate the creation, deployment, rotation and removal of keys.
All major security regulations - SOX (Sarbanes-Oxley for public companies), FISMA (US government), HIPAA (Health information), PCI (Credit card processing) - as well as NIST standards and equivalent international standards - require controlling access to servers and proper termination of access. These standards are being violated by improper management of SSH keys that allows permanent backdoors to be left on critical servers, bypassing normal controls for privileged access. Key-based access is extremely widespread, and it is the best practice for automated and scripted access to servers. While as safe as anything when properly managed, it turns out nearly all organizations have been sloppy in managing key-based access. Similar problems also abound with other automated access mechanisms, including Kerberos and certicate-based access. The situation is not a result of any vulnerabilities or aws in the SSH protocol itself or in the most commonly used implementations of the protocol (including commercial Tectia SSH and the open source OpenSSH products). Rather, it is a result of years of lack of clear guidelines or policies relating to SSH keys, lack of understanding of the scope and implications of the problem, insufcient time and resources to dig into the issue to gain understanding or develop solutions, earlier lack of good tools and guidelines for solving key management issues, and perhaps a general reluctance of auditors to ag issues for which they dont know effective solutions exist. In addition to this, identity and access management as a eld has focused primarily on interactive user access with little consideration of automated access. The fact of the matter seems to be actually that there are signicantly more permanent trust relationships for automated access than interactive user accounts in many environments. The problem has probably gone under radar because it is deeply technical and obscure, in the domain of system administrators. Each system administrator typically only sees a small corner of the IT environment, and does not have a full picture. Administrators and their managers are often so busy that while they may recognize that there is a problem, they simply have not had time to analyze the scope or possible implications of the problem. Finally, to date, many IT security auditors do not have SSH user key management on their checklist in relation to its role in identity access governance, and the issue has not been sufciently highlighted in implementation and auditing guidelines for SOX, PCI, FISMA, or HIPAA connecting access control to authentication methods. Even many CISOs (Chief Information Security Ofcers) are only vaguely aware of the problem, and many CIOs and IT risk management professionals have never heard of it. Yet at the same time it represents an existential risk for any major bank or enterprise and a systemic risk for the banking system or a developed country.
A further risk mitigation technique is to dene certain internal boundaries within the organization, and strictly control what key-based trust relationships can cross which boundaries and in which direction, and enforce strict IP address restrictions and forced command restrictions at least for authorized keys involving trust relationships crossing such boundaries. It should be understood that while a key manager can reliably discover all authorized keys on the servers that it has access to, it is not possible to guarantee nding all copies of private keys. Some copies of private keys could be on desktops and laptops that are not scanned, on off-line USB memory sticks, backups, powered off machines or even printed on paper for later manual entry. Thus one can never say with absolute certainty who can currently log into an account with an authorized key. Only after rotating all keys can one be sure that previously copied keys cannot be used.
Conclusion
Nearly all Fortune 500 companies and major government agencies appear to be non-compliant in terms of how SSH user keys are managed in relation to access control and authentication. In general the major security issues which organizations consider on a day to day basis are primarily focused in relation to virus risks, hacking risks, and rogue employee risks. Nonetheless, the identity access governance around automated accounts directly correlates to these obvious risks in the most simple terms of cause and effect. Without the proper management of SSH user keys and proper remediation of legacy environments, organizations face signicant increased risks to the above mentioned threat vectors, even existential threats. This is however not an issue unique to large enterprises. Organizations of all sizes face challenges in managing SSH user keys. In fact, most of the next 10,000 largest companies in the world are also exposed to the same issues. On the other side of the coin, even customers with less than 20 servers in smaller security-sensitive organizations can benet from automated systematic key management practices. It all depends on the risk tolerance in terms of managing the access control of the critical servers. In summary, while SSH is considered the gold-standard for data-in-transit security, the current threat landscape requires organizations to rethink how they are managing access to their SSH networks. The SSH protocol has done a superb job in protecting data-at-transit, but effective management and oversight of the access to the SSH environment is now becoming a major concern. With Universal SSH Key Manager, organizations of all types and sizes can quickly and easily take control of their secure shell environment, remediate the usage of their SSH user keys, and meet todays modern security challenges while fullling or exceeding compliance mandates such as SOX, PCI, FISMA, and HIPAA. To get started with SSH key remediation in your environment, please visit: www.ssh.com/remediation or contact sales@ssh.com.
www.ssh.com